Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1091 | Replication Through Removable Media |
| AC-6 | Least Privilege | Protects | T1091 | Replication Through Removable Media |
| CM-2 | Baseline Configuration | Protects | T1091 | Replication Through Removable Media |
| CM-6 | Configuration Settings | Protects | T1091 | Replication Through Removable Media |
| CM-8 | System Component Inventory | Protects | T1091 | Replication Through Removable Media |
| MP-7 | Media Use | Protects | T1091 | Replication Through Removable Media |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1091 | Replication Through Removable Media |
| SC-41 | Port and I/O Device Access | Protects | T1091 | Replication Through Removable Media |
| SI-3 | Malicious Code Protection | Protects | T1091 | Replication Through Removable Media |
| SI-4 | System Monitoring | Protects | T1091 | Replication Through Removable Media |